COPE Offers IT and Workers an Alternative to BYOD

Smartphones aren't cheap, but they've become our window to the world. We use them to run our lives, stay plugged in and even get some work done. We can't live without 'em. And so we dig into our pockets every month to pay a huge phone bill despite our shoestring budget.

What if your company foot most of the bill?

That would make life so much easier -- assuming, of course, that you could still use the phone for personal activities, too. But there's a catch. Technically speaking, the company would own the phone under a policy called Company Owned, Personally Enabled, or COPE. On a more visceral level, you would also be giving up some expectations of privacy.

Companies embracing COPE as an alternative to Bring Your Own Device (BYOD) understand that they can't expect employees to simply submit to mobility's version of Big Brother. Instead, companies are willing to give away some control and pay a little more to get employees to buy into COPE, in order to sidestep BYOD's security and manageability pitfalls, as well as end the proliferation of shadow BYOD.

It's a tricky scenario, because companies will be asking employees to trust them to do the right thing with a device that the company owns. Lack of trust is what has been derailing BYOD, so will employees accept COPE?

CIO.com spoke with Harjot Sidhu, vice president of consulting services at Vox Mobile, who helps large companies and government agencies plan their enterprise mobility strategies. Sidhu gives his insight into the rise of the COPE alternative.

CIO.com: There have been conflicting reports on BYOD adoption. What are you seeing?

HarjotSidhu: BYOD is a topic in every engagement we have. There's wide variety of demand, pressure, interest. Many organizations are in chaos with the decline of BlackBerry. Now they're dealing with all the other operating systems, platforms, form factors, security threats, applications, you name it.

However, the hype around BYOD is beginning to get corrected. We have noticed that many organizations have some form of COPE, whereas the amount of "Corporate Only, Business Only" COBO programs has become very little. With COBO, every organization started turning a blind eye or officially authorizing personal use of corporate issued devices (thus creating de facto COPE environments).

This has an impact on the demand of BYOD, depending on how attractive the COPE program is. Here's an example: If an organization is still 100 percent BlackBerry and has strict passwords and strict application blacklists, then the demand for BYOD is very high. At other organizations with very attractive COPE policies that offer diversity in devices and privacy assurances for employees, BYOD is hampered.

CIO.com: Where is the opportunity for COPE?

Sidhu: Only about 30-40 percent of employees are issued COPE devices. What about the other 60-70 percent? They're running around with the most powerful piece of technology ever invented and using it to watch videos of cats. They're not connected to the organization, not doing email, not collaborating. You can build a BYOD program and connect their personal devices to the organization, and we've built those programs.

The alternative is extending the COPE program to those additional users.

For the service on a monthly basis, COPE is very straightforward. An employee would opt to pay, say, $50 per month for a corporate device with full personal enablement. If an employee leaves the organization, there's no argument about who owes anyone money. The employee is just propping up the service plan with their own personal payments, similar to propping up a healthcare plan. This extension of the COPE program, where a person can pay into it to get greater capabilities, is starting to happen.

Every organization should be interested in COPE, and the reason is very straightforward. You now have diminishing returns on giving an employee a COBO phone. This seems very counter-intuitive, because a smartphone is now more powerful than it was two or three years ago.

The reason is that the employee has a personal smartphone. If you give a corporate smartphone to an employee who has a personal smartphone, the employee will pay less attention to the corporate smartphone -- even during business hours. With COPE, you give an employee a phone, and they'll abandon their personal device.

CIO.com: Why would an employee sign up for COPE?

Sidhu: This isn't going to work if the employee is running around with two devices. This means that whatever the organization offers in the COPE program must be less expensive to the employee than what they can purchase on the street.

There are a number of other considerations.

You have to ensure access to personal information upon exit. The good news with EMM technology today is that you can do a corporate wipe and then give them the device for an hour to recover the remainder of the information. The other factor is that they have to be able to take their phone number with them.

In BYOD, it's important to reimburse employees. When you're charging employees in a COPE plan, it's even more important to ensure it stops at the appropriate time.

CIO.com: What's more complicated, BYOD or COPE?

Sidhu: Clearly, BYOD will be more complex. COPE environments today don't really have financial flows and financial costs built in. Privacy and tax implications are more straightforward. But this doesn't mean BYOD isn't worth it. We did a business case of an organization that got five minutes of additional uptime per day from previously unconnected employees, which pays for the entire program.

That said, COPE needs an extremely robust policy. A lot of organizations got spoiled with BlackBerry. They could control everything on the device with 400 IT policies. But now with iOS, there's not that level of control. God forbid, you now have to write down the policies, train your employees, and trust them.

You really have to clearly articulate COPE, especially in the separation between personal and corporate and the assurances of privacy. COPE is a new name for something that was naturally occurring -- I've always been given free rein with my corporate device for years -- but now it's becoming far more prominent.

CIO.com: BYOD continues to face trust and privacy issues. Won't this be even more of a problem with COPE?

Sidhu: There's very few COBO; everyone is using their corporate-owned device for personal activity. And so the issue of privacy is prominent regardless.

AirWatch in particular has implemented a very impressive feature that gives back privacy to the employee. The feature allows them to prohibit the view of private information from the administrative console. You can flick a switch and suddenly become compliant to the privacy. Now you can't see, for example, personal applications.

The containers are going to provide privacy.

Everybody likes to knock BlackBerry, but there's strong recognition that BlackBerry Balance is one of the most powerful containerized solutions in the industry. If you're given a BlackBerry 10 device with Balance, and you use Gmail on it, the organization has no visibility -- zero -- unless they seize the device. It doesn't go through corporate systems or the BES, doesn't become audited; BlackBerry has a feature called EMM Regulated, which will force everything through the organization, but very few organizations are implementing that.

Where employees often get caught, using a device with a personal browser while on the corporate WiFi network. This can be seen, but the employee thinks they're in the clear. So it has to be clearly articulated in the policy.

There also has to be a sense of realism. A year or two ago when I was helping organizations write their policy, they would want language around allowing the organization to seize personal hardware in case of a legal dispute. But lately I've been telling them, "Listen, if someone is using Outlook Web access from their home computer and they saved an attachment, do you have the right to seize their home computer?"

I've written COPE policies indicating that an employee has a reasonable expectation of privacy on any form of communication on the mobile device that is not corporate.

If you want to gain productivity out of the currently unconnected employees, which are the majority, and you say, "Absolutely, you can sign up for this program," and the policy says the employee has no expectations of privacy or there's a complex password requirement or there's a blacklist of Facebook or Instagram, what kind of adoption will you get?

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.